1. Field of the Invention
The present invention relates to detecting computer worms in a computer network.
2. Background Art
A computer in a network is vulnerable to malicious activities in the network. One such threat is the computer worm. A worm is a process that spreads from one host to another across the network by stealthily copying and running itself on unsuspecting hosts. As the worm spreads and infects more and more hosts, the rate at which the worm can infect other hosts in the aggregate grows at an increasing, often exponential, rate.
A worm runs a copy of itself on an unsuspecting host by exploiting some vulnerability on the host. Since a worm is a computer process, it has the potential to execute malicious code on the host. For example, a worm may delete files or use the processing power of the host to launch denial-of-service attacks on another host. Furthermore, as a worm copies itself to more and more hosts, the network traffic generated by the worm may cause major network congestion. The activities of a worm may impair both a host and the network.
Since it is difficult to identify all the vulnerabilities of a host and to predict the new methods in which worms will exploit those vulnerabilities, automatic detection of new worms is particularly challenging.
Today, new worms are detected manually, often only after the effects and damage of the new worm are already widely felt. Once a new worm is discovered, a particular characteristic of the worm is identified, and this characteristic is then used to detect the future presence of that known worm in the network. Hence, contemporary systems are generally limited to detecting worms that are known a priori.
What is needed is a method and system of detecting new worms automatically so that they may be detected and contained quickly before the worm spreads too far. Automatic detection and response is becoming an imperative because a newly released worm can infect millions of hosts in a matter of seconds.